Navigating Data Subject Access Requests: A Marketer’s Practical Guide

Quick Takeaways
  • New US state privacy laws add DSAR obligations fast.
  • Texas, Oregon, Montana, and Delaware have active laws now.
  • Build DSAR compliance before a request arrives, not after.
  • Consumer privacy rights include access, correction, portability, erasure.
  • 4Comply automates DSAR intake, deadlines, and response generation.
  • A quarterly review keeps your DSAR program on track.

Many marketing teams have had a process in place for data subject access requests for a few years now: an intake form, a defined response timeline, and at least one person who owns the queue.

But the legal landscape has shifted significantly since 2023. More than a dozen US states have enacted comprehensive privacy laws with consumer privacy rights provisions, each creating new DSAR compliance obligations for marketing teams. Texas, Oregon, Montana, Delaware, Iowa, New Hampshire, and New Jersey all have active laws today. If your current process was designed for California and GDPR, it may already fall short for the contacts in other states where you actively market.

This guide covers the foundational elements: what data subject access requests are, what the updated legal environment requires of marketing teams in 2025 and beyond, and how to build a compliant, customer-respectful process that works across the full range of laws that now apply to your contacts.

What a Data Subject Access Request Actually Is

Data subject access requests give individuals the legal right to ask an organization about the personal data it holds. Depending on the applicable privacy law, a request may ask the company to confirm what data exists, correct inaccurate records, delete personal information, or transfer it to another organization.

Most privacy laws and the GDPR recognize four core consumer privacy rights that can trigger data subject access requests:

  • Right to access: Confirm what data a company holds and how it is used.
  • Right to correction: Update inaccurate or outdated personal information.
  • Right to portability: Receive data in a portable, machine-readable format.
  • Right to erasure: Request that personal data be deleted, often called the “right to be forgotten.”

For marketers, data subject access requests most commonly arrive when a contact wants to know what your database holds about them, why they receive certain communications, or how their behavioral data is being used. These interactions sit at the intersection of data privacy marketing and customer trust. Handled well, they are an opportunity to demonstrate responsible data stewardship.

The US State Privacy Law Landscape Has Changed

When this post was first published in 2023, California’s CPRA was the primary US benchmark for DSAR compliance outside of GDPR. That is no longer the case. A significant number of state privacy laws have taken effect since then, each creating new consumer data rights obligations for marketing teams.

State | Law | Effective Date
Texas | Texas Data Privacy and Security Act (TDPSA) | July 1, 2024
Oregon | Oregon Consumer Privacy Act (OCPA) | July 1, 2024
Montana | Montana Consumer Data Privacy Act (MCDPA) | October 1, 2024
Florida | Florida Digital Bill of Rights (FDBR)* | July 1, 2024
Delaware | Delaware Personal Data Privacy Act (DPDPA) | January 1, 2025
Iowa | Iowa Consumer Data Protection Act (CDPA) | January 1, 2025
New Hampshire | SB 255 | January 1, 2025
New Jersey | SB 332 | January 15, 2025
Indiana | Indiana Consumer Data Protection Act | January 1, 2026

*Florida’s Digital Bill of Rights applies to controllers with annual revenues above $1 billion.

The Texas Data Privacy and Security Act, effective July 1, 2024, grants Texas residents the same core rights found in CPRA: access, correction, deletion, and portability. Oregon and Montana followed shortly after with their own laws. The IAPP’s US State Privacy Legislation Tracker currently documents 19 states with comprehensive privacy laws in force, and that count continues to grow.

For a detailed breakdown of what recent legislation means for US-based marketing teams, “New State Privacy Laws in 2025” covers the full picture.

Why this matters for your process: Each of these US state privacy laws sets its own response timeframe. Most allow 45 days with a possible 45-day extension. GDPR gives one calendar month. If your contacts span multiple states, your workflow must apply the correct rules based on where each requestor resides. Data subject access requests coming from a Texas resident and a California resident may be subject to different timelines and procedures, so a one-size approach creates compliance risk.

Do’s for Handling Data Subject Access Requests

Plan Your Process Before a Request Arrives

The most common DSAR compliance mistake is building the process reactively. A request lands and the team scrambles to locate data across CRM systems, marketing automation platforms, and analytics tools, all while a response deadline counts down.

How to apply it: Map every system that holds personal data and assign a clear owner for each. Define your response timeline based on the laws that apply to your audience. If any of the US state privacy laws that govern your contacts have not yet taken effect, use that window to get ready. A documented process is also your strongest defense if a regulator ever asks how you handle data subject access requests.

Create an Accessible Intake Channel

Most comprehensive privacy laws require organizations to offer multiple channels for submitting data subject access requests. An online form is the most scalable option: easy for contacts to use, straightforward for your team to process, and designed for automation.

Pair your intake channel with sound data segmentation and consent management practices so that once a request arrives, you can locate and act on the relevant data quickly and without creating unnecessary friction.

Verify Identity Proportionally

You need to confirm who is submitting a request before sharing or deleting personal data. That verification should fit the sensitivity of the request. For a basic access request, a confirmation link sent to the email address on file is usually sufficient. For a deletion request involving sensitive records, a second step is appropriate.

Overly burdensome verification for routine data subject access requests creates friction that undermines the consumer privacy rights your contacts are legally entitled to exercise.

Train Everyone Who Might Receive a Request

Your marketing ops team is not the only group that receives data subject access requests. Customer service, sales, and field teams may encounter them first. Everyone involved should know what the request is, where to route it, and how quickly a response is required.

A one-page SOP and a clear escalation path are usually enough. The goal is that no data subject access request gets delayed or mishandled because of confusion about who owns it.

Don’ts That Create Compliance Risk

Don’t Require an Account to Submit a Request

Several privacy laws, including CPRA, explicitly prohibit requiring account creation as a condition for submitting data subject access requests. Beyond the legal exposure, account gates signal that your organization is more focused on protecting its own data than on respecting consumer rights. Remove the requirement from your intake flow entirely.

Don’t Let Response Deadlines Slip

Missed deadlines are one of the most common triggers for enforcement action under DSAR compliance rules. Most US state privacy laws give 45 days to respond, with a 45-day extension if you notify the requestor. GDPR gives one calendar month. Teams managing data subject access requests manually are most at risk during high-volume periods.

4Comply automates deadline tracking, acknowledgment emails, and request routing so that each request moves through your process on a tracked timeline rather than relying on individual follow-through.

Once your process is running, regular check-ins keep it healthy. “3 Data Subject Request Topics for Quarterly Review” covers the three operational areas worth examining each quarter to stay ahead of issues before they escalate.

Don’t Collect More Than You Need to Verify

Data minimization applies to your verification process as much as it applies to your marketing database. Collect only what you need to confirm identity and locate the record. Asking for a government ID and a phone number when an email address is sufficient creates unnecessary exposure and erodes the consumer privacy rights your contacts are entitled to exercise.

Keeping your verification requirements proportionate also demonstrates that your organization treats data subject access requests as a genuine service obligation rather than an obstacle to manage.

Why DSAR Automation Is No Longer Optional

In 2023, DSAR automation was a nice-to-have for most marketing teams. With more than a dozen state privacy laws active and enforcement activity rising, it is becoming a standard operational requirement for handling data subject access requests at scale.

As data privacy automation tools have matured, the technical barrier to DSAR automation has fallen significantly. Modern platforms handle intake, verification, routing, and deadline management through workflow configurations that a marketing ops team can own without IT involvement. When DSAR automation is in place, requests move on a tracked timeline instead of relying on manual follow-through.

Even teams starting from scratch can reduce risk significantly by automating two steps first: the acknowledgment email on receipt and the deadline reminder before the response window closes. Those two DSAR automation actions eliminate the most common failure points without requiring a full platform overhaul.

Conclusion

Managing data subject access requests is no longer a once-a-year compliance exercise reserved for large enterprise legal teams. With a growing roster of US state privacy laws covering residents from Texas to Montana to New Jersey, handling these requests correctly is a routine responsibility for any marketing team that holds personal data on individuals. A well-designed process built on accessibility, clear timelines, and genuine respect for consumer privacy rights strengthens the customer relationship rather than just satisfying a legal requirement.

If your current process was built before 2024, now is the right time to review and update it. Contact 4Thought Marketing to learn how 4Comply can help you build a DSAR process that works across every law that applies to your audience.

Frequently Asked Questions

What are data subject access requests, and who can submit them?

Data subject access requests are formal requests from individuals asking an organization to disclose, correct, delete, or transfer the personal data it holds about them. Any individual whose data is held by an organization may submit one if they are covered by an applicable privacy law such as GDPR, CPRA, or an active US state law.

Which US states now require companies to handle these requests?

As of 2025, US state privacy laws with DSAR provisions include California (CPRA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Delaware (DPDPA), Iowa (CDPA), Virginia (CDPA), Connecticut, Colorado, New Hampshire, New Jersey, and others. Indiana’s law takes effect in January 2026. Organizations marketing to residents of these states should have a documented process in place for responding to requests.

How long does a company have to respond to data subject access requests?

Most state privacy laws require a response within 45 days of receiving a valid, verified request, with a 45-day extension available if you notify the requestor in advance. GDPR requires a response within one calendar month. Response windows typically start from the date a complete, verified request is received.

Can I require someone to create an account before they can submit a request?

No. Laws such as CPRA explicitly prohibit requiring account creation as a condition for submitting data subject access requests. Your intake process must allow any individual to submit a request without first creating an account.

What is the most common reason companies fail at DSAR compliance?

Missed response deadlines are the most frequently cited DSAR compliance failure in regulatory enforcement actions. Teams handling requests manually are most vulnerable during high-volume periods. Automating the acknowledgment email and the deadline reminder eliminates the most common failure points in managing these requests.

Do B2B marketing teams need to respond to these requests?

Yes. B2B marketing databases contain personal data tied to individual contacts. If those contacts are residents of states with active privacy laws, or are EU residents covered by GDPR, they hold consumer privacy rights regardless of the B2B context. Any marketing team holding personal data on individuals should have a clear process in place.
